Dear users,
On the heels of the previous vulnerability we have a similar one in Podbeuter, discovered by @noctux.
An attacker can craft an RSS item where the name of the media enclosure (the podcast file) contains shell code. When the user plays the file in Podbeuter, the shell code will be executed. If you're using Podbeuter only to download podcasts, not play them, you're safe.
Podbeuter versions 0.3 through 2.9 are affected.
I'm still waiting for a CVE. (Submitted a request to MITRE on August 27th, pinged them on September 9th, but got nothing back.)
Workaround
Don't play any podcasts in Podbeuter until you apply the fix.
Resolution
A fix has already been pushed to our Git repository: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260
A patch for 2.9 is also available: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333
I'll notify oss-security@lists.openwall.com, so distributions ought to pick this up soon enough.
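The class of bug described above, shown as an added example (not Podbeuter's code and not the linked fix): it assumes the player command is assembled as a string and handed to a shell, which the advisory implies but does not show. The names `some-player`, `build_cmd_unsafe`, `build_cmd_quoted`, `shell_quote` and `run_player` are hypothetical, and the enclosure name is a constructed sample.

```cpp
#include <iostream>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Unsafe pattern (assumed for contrast): the enclosure name is pasted into a
// string that a shell will parse, so metacharacters in it become shell syntax.
std::string build_cmd_unsafe(const std::string& player, const std::string& file) {
    return player + " " + file;
}

// Quote a string so a POSIX shell reads it as one literal word. Nothing is
// special inside single quotes; an embedded ' is written as '\''.
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

std::string build_cmd_quoted(const std::string& player, const std::string& file) {
    return player + " " + shell_quote(file);
}

// Shell-free alternative: the file name is a single argv entry and is never
// parsed as shell syntax. Returns the player's exit status (127 if exec
// failed), or -1 if fork/waitpid failed or the player died from a signal.
int run_player(const std::string& player, const std::string& file) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(player.c_str(), player.c_str(), file.c_str(), (char*)nullptr);
        _exit(127);  // exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed sample: a hostile enclosure name with a harmless marker.
    const std::string name = "it's.mp3; echo INJECTED";
    std::cout << build_cmd_unsafe("some-player", name) << "\n";
    std::cout << build_cmd_quoted("some-player", name) << "\n";
    return 0;
}
```

In the unsafe string the `;` ends the player command and starts a second one; in the quoted string the whole name, including the embedded quote, reaches the player as one argument.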